On Thu, Jul 5, 2018 at 7:24 AM Vlad Buslov <vla...@mellanox.com> wrote:
>         attr_size = tcf_action_full_attrs_size(attr_size);
>
>         if (event == RTM_GETACTION)
> -               ret = tcf_get_notify(net, portid, n, &actions, event, extack);
> +               ret = tcf_get_notify(net, portid, n, actions, event, extack);
>         else { /* delete */
> -               ret = tcf_del_notify(net, n, &actions, portid, attr_size, 
> extack);
> +               ret = tcf_del_notify(net, n, actions, &acts_deleted, portid,
> +                                    attr_size, extack);
>                 if (ret)
>                         goto err;
>                 return ret;
>         }
>  err:
> -       tcf_action_put_lst(&actions);
> +       tcf_action_put_many(&actions[acts_deleted]);
>         return ret;
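
Review bot: At the err label, tcf_action_put_many(&actions[acts_deleted]) hands the callee a pointer offset into the actions array, so the cleanup stays in bounds only if the callee stops at a NULL entry or the array carries spare terminating slots, and neither is visible in this hunk. Suggest making that contract explicit, for example by passing the number of remaining entries or by documenting that actions is NULL-terminated with room beyond the last valid index. Also worth confirming that acts_deleted is initialized to 0 before this point, since the RTM_GETACTION branch falls through to err and only tcf_del_notify() writes it here.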

How does this even work?

You save an index in 'acts_deleted', but you pass &actions[acts_deleted]
to tcf_action_put_many(), so it seems you want to start from
where it fails, but inside tcf_action_put_many() it starts from 0
to TCA_ACT_MAX_PRIO, out-of-bounds access at least?
